The present invention relates to computing, and in particular, to systems and methods for generating constraints for use in an access control system.
Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Organizations have a need to monitor their business activities and control access to documents in a software system. Access control software may be used to restrict actions of users on a computer system, particularly an enterprise computer system. Generally, many actions (i.e., document transactions or manipulations) can be performed on an enterprise system. For example, possible actions include creating a vendor, paying a vendor, creating a user, or approving a document. Thus, completion of an action may require the authority to access the data associated with the action.
FIG. 1 illustrates a computer system using access control. Access control software 111 may be used to control the authorization privileges of users of a plurality of software systems, such as an Enterprise Software System 100, for example. Enterprise Software System 100 may include multiple software systems 101, 150 and 151, for example, which may be Enterprise Resource Planning (“ERP”) applications, Customer Relationship Management (“CRM”) applications, or other software systems from SAP®, Oracle®, Microsoft®, or Salesforce.com®, for example. Examples of Enterprise Software Systems include SAP® ERP, PeopleSoft®, JD Edwards® EnterpriseOne, and Oracle® E-Business Suite. Enterprise Software System 100 may be used to manage and run an organization's computer implemented business processes, which may include order fulfillment or billing, for example. In doing so, Enterprise Software System 100 may need to control various computer implemented business operations such as manufacturing, supply chain management, financial management, human resources, and customer relationship management. Furthermore, users (e.g., the organization's employees) may interact with Enterprise Software System 100 in order to execute business actions relating to their job functions. In this example, software system 101 may include a plurality of application pages 107A-C that users may access to perform various actions (e.g., creating a purchase order or paying an invoice).
Numerous users may be set up to use the different software systems. In particular, when a new employee is hired by a company, the user may be given access to specific functionality within one or more systems to perform his or her job functions within the company. Specifically, users may be assigned “roles” 130 that determine the allowable actions a user may perform, where particular roles have particular access rights within the system. For example, User 1 may be an employee in the Human Resources (“HR”) department. Accordingly, User 1 is associated with role 120, which may give User 1 access to perform particular actions in software systems 101 and 151. Similarly, User 2 may be an employee in the Accounts Payable (“AP”) department, and may be associated with role 121 and given access to perform particular actions in software systems 101 and 150. Likewise, User 3 may be an employee in the Purchasing department, and may be associated with role 122 and given access to perform particular actions in software system 150. Finally, User 4 may be an employee in the Contracts department, and may be associated with role 123 and given access to software functionality in software system 101. In some situations, a single user may hold a number of different roles within the company, and may have access to the corresponding software functionality to perform actions relating to each of those roles.
To perform their job functions using the various software systems available within the company, each user may be given particular authorizations to perform particular authorized actions in each software system. For example, User 3 in Purchasing may be authorized to access a purchase order component of a software system and generate a purchase order for a new or preexisting supplier. Authorized actions associated with different roles 130 may be controlled using “permissions” 112. Accordingly, User 3 in the Purchasing role 122 may further be associated with a permission to manipulate data so that the amount of the purchase order or the supplier information, for example, can be recorded in the system. Similarly, User 2 in the Accounts Payable role 121 may be authorized to access an invoice payment component of a software system and pay purchase orders received by the company. As with User 3, User 2 may be given permission to manipulate data corresponding to the action of paying the purchase order so that the supplier's bank information or payment terms (e.g., due on receipt or due 30 days after an invoice date), for example, can be recorded in the system.
The permissions (or authorizations) to perform various actions within each software system are typically stored as user account data in a persistent storage mechanism, such as a data repository (e.g., database 102 in FIG. 1) or another computer readable storage medium. Examples of a data repository 102 include Microsoft SQL Server, IBM DB2, Oracle Database, and MySQL. For example, when an employee joins the company, an information technology (“IT”) employee may create a new user account on each software system that the new user needs to access, and may define the actions and data manipulation permissions the user requires in order to perform his or her job function or role within the company.
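The role and permission model described in the preceding paragraphs (users assigned roles 130, roles mapped to permissions 112 on actions within particular software systems, the whole stored in a data repository 102) can be made concrete with a small relational model and a deny-by-default authorization check. The following is an added example written for this page; it is not code from the patent or from any of the products named above. The table layout, the action names (create_user, pay_invoice, and so on), and the in-memory SQLite database standing in for repository 102 are assumptions for illustration; the role numbers and the systems each role reaches follow the FIG. 1 description.

```python
"""Minimal role-based access control (RBAC) repository and authorization check.

Added example; the users, roles, systems and actions below are constructed to
mirror the FIG. 1 description and are not taken from any real product.
"""
import sqlite3
from typing import Set, Tuple

SCHEMA = """
CREATE TABLE users (
    user_id    TEXT PRIMARY KEY,
    department TEXT NOT NULL
);
CREATE TABLE roles (
    role_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE user_roles (
    user_id TEXT    NOT NULL REFERENCES users(user_id),
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    PRIMARY KEY (user_id, role_id)
);
-- A permission is an action on one specific software system (101, 150, 151 ...).
CREATE TABLE permissions (
    system TEXT NOT NULL,
    action TEXT NOT NULL,
    PRIMARY KEY (system, action)
);
CREATE TABLE role_permissions (
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    system  TEXT    NOT NULL,
    action  TEXT    NOT NULL,
    PRIMARY KEY (role_id, system, action),
    FOREIGN KEY (system, action) REFERENCES permissions(system, action)
);
"""

# Constructed sample data. Role numbers and the systems each role reaches follow
# FIG. 1; the action names are assumptions chosen for illustration.
USERS = [("User1", "HR"), ("User2", "AP"), ("User3", "Purchasing"), ("User4", "Contracts")]
ROLES = [(120, "HR"), (121, "Accounts Payable"), (122, "Purchasing"), (123, "Contracts")]
USER_ROLES = [("User1", 120), ("User2", 121), ("User3", 122), ("User4", 123)]
ROLE_PERMISSIONS = [
    (120, "101", "create_user"),       (120, "151", "maintain_employee"),
    (121, "101", "pay_invoice"),       (121, "150", "record_payment_terms"),
    (122, "150", "create_purchase_order"),
    (123, "101", "approve_contract"),
]


def build_repository() -> sqlite3.Connection:
    """Create an in-memory repository (stand-in for database 102) and load the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO roles VALUES (?, ?)", ROLES)
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", USER_ROLES)
    # Derive the permission catalogue from the role grants so the FK is satisfied.
    conn.executemany(
        "INSERT OR IGNORE INTO permissions VALUES (?, ?)",
        [(system, action) for _, system, action in ROLE_PERMISSIONS],
    )
    conn.executemany("INSERT INTO role_permissions VALUES (?, ?, ?)", ROLE_PERMISSIONS)
    conn.commit()
    return conn


def is_authorized(conn: sqlite3.Connection, user_id: str, system: str, action: str) -> bool:
    """Deny by default: True only if some role held by the user grants (system, action)."""
    row = conn.execute(
        """
        SELECT 1
          FROM user_roles ur
          JOIN role_permissions rp ON rp.role_id = ur.role_id
         WHERE ur.user_id = ? AND rp.system = ? AND rp.action = ?
         LIMIT 1
        """,
        (user_id, system, action),
    ).fetchone()
    return row is not None


def permissions_for(conn: sqlite3.Connection, user_id: str) -> Set[Tuple[str, str]]:
    """Effective permissions of a user: the union over every role the user holds."""
    rows = conn.execute(
        "SELECT rp.system, rp.action FROM user_roles ur "
        "JOIN role_permissions rp ON rp.role_id = ur.role_id WHERE ur.user_id = ?",
        (user_id,),
    ).fetchall()
    return {(system, action) for system, action in rows}


def grant_role(conn: sqlite3.Connection, user_id: str, role_id: int) -> bool:
    """Assign an additional role to a user. Returns False (and changes nothing)
    if the user or role does not exist, because the foreign keys reject the row."""
    try:
        conn.execute("INSERT OR IGNORE INTO user_roles VALUES (?, ?)", (user_id, role_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


if __name__ == "__main__":
    repo = build_repository()
    print(is_authorized(repo, "User3", "150", "create_purchase_order"))  # True
    print(is_authorized(repo, "User3", "101", "pay_invoice"))            # False
    grant_role(repo, "User3", 121)   # Purchasing user additionally given the AP role
    print(is_authorized(repo, "User3", "101", "pay_invoice"))            # True
```

Two points the code makes visible that the prose leaves implicit: the check is a lookup that fails closed (an unknown user, system or action simply finds no row), and a user holding several roles receives the union of their permissions, so after the last `grant_role` call User 3 can both create a purchase order in system 150 and pay invoices in system 101. Nothing in this lookup notices that such a combination may be undesirable; that is the kind of constraint on actions that the rest of the application is concerned with.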
It is desirable to have more efficient and comprehensive approaches to controlling access to documents in a computer system. Specifically, it would be advantageous to have an improved access control system for controlling actions on documents in a computer system.